Security Awareness not Just for Employees

by

An article I read this morning on one of my security web sites reminded me of the need for small business executives to understand that when it comes to cyber security awareness, they are also employees — but with a twist — they hold the keys to the kingdom.

While a higher percentage of CEOs and business owners now recognize the threats small organizations face from hackers than they used to, it is likewise true that cyber criminals have recognized the value of attacking them directly because they have access to the most sensitive information a company handles.

The article I read pointed to a discovery by researchers at the security software developer Trend Micro that found that 45 percent of the phishing attacks they studied directly targeted the CEO’s email address rather than everyone in the organization (anecdotally, I have seen an increase in direct attacks on CEOs, as well).

Also known as “whaling” because the CEO is considered the big fish in a company, that’s almost as many attacks against the CEO as everyone else in those organizations combined. Managing Directors and Chief Financial Officers are also frequently targeted at 9.7% and 4.8%, respectively.

What makes this important is that I encounter executives who at times consider themselves to be almost immune to the attacks their employees face.

From the article, quoting Ryan Flores of Trend Micro, CEOs and other top executives sometimes view email security mechanisms or policies as “an inconvenience to them” and because of that, they behave like they are “an exception to the rule.”

I offer this blog less as an admonishment of SMB executives as a reminder that they, too, are as susceptible to Social Engineering attacks like phishing and whaling emails as their employees. Executives need to be even more vigilant, though, as these attacks increasingly focus on them specifically and the sensitive nature of what they know and have access to.

To create a culture of Cyber Security that starts from the top down in the hierarchy of your organization, contact me personally at ericm@threatucation.com or 302-537-4198 to discuss a Cyber Security Awareness Training program tailored to you and your employees.

Five Tips to Strengthen Security in Your Law Firm

by

No profession depends more on the confidentiality, integrity and availability of its data than law firms.

The information they collect forms the basis of all of their cases. Without it, they can’t represent their clients.

Because of the nature of that data, which includes PII, PHI, confidential and proprietary information, not to mention potentially embarrassing revelations, attorneys will be in the crosshairs of cyber criminals for the foreseeable future.

In fact, an analysis of public records by Law360 found that nearly 50 law firms reported data breaches in 2020 and that most were small and boutique firms. And that’s not all …

“There are probably many more attacks than what you’ve listed here. They just have not been documented in any official way,” said Claudia Rast, co-chair of the American Bar Association’s cyber security legal task force, to Law360.

The overwhelming majority of the 50 breaches (80%) was caused by human error or insider incidents.

To strengthen your firm’s security, consider the following five tips:

  • Secure Your Mobile Devices with Passcodes, Biometric fingerprint access, and Encryption
  • Create a culture of cyber security in your firm with policy-based Security Awareness Training
  • Watch Autocomplete in Emails to avoid inadvertently sending an email to the wrong person
  • Ensure remote devices and computers get the same protection at home and on the road as in the office
  • Consider multi-factor authentication on critical entry points to your network, such as computer logins, to prevent criminals from accessing it with a stolen user name and password caught up in a data breach that had nothing to do with your firm